Amazon Says Employee Data Impacted In Third-Party Breach

The company confirmed that some employee data, including names and email addresses, was obtained by a threat actor.

Amazon confirmed Monday that some employee data, including names and email addresses, was obtained by a threat actor in a breach that impacted a third-party vendor.

In a post on a hacker forum, a threat actor claimed that the data was stolen during the widespread 2023 attacks that exploited a vulnerability in Progress’ MOVEit file transfer tool, according to a report from 404 Media.

[Related: 10 Major Cyberattacks And Data Breaches In 2024 (So Far)]

In a statement provided to CRN, Amazon attributed the data theft to an incident that affected a third-party vendor.

“Amazon and AWS systems remain secure, and we have not experienced a security event,” the company said in the statement. “We were notified about a security event at one of our property management vendors that impacted several of its customers including Amazon.”

Along with Amazon employee names and email addresses, the stolen data also included phone numbers and locations where the employees worked, the Amazon statement said.

The third-party vendor breached in the attack was not identified.

The MOVEit data theft and extortion attacks in 2023 struck a total of 2,773 organizations and nearly 96 million individuals, making it one of the largest data heists in recent years, according to tallies by cybersecurity firm Emsisoft.

Within the IT industry, victims of the MOVEit data extortion campaign included IBM, Cognizant, Deloitte, PricewaterhouseCoopers and Ernst & Young.